Is your chip card secure? Much depends on where you bank (krebsonsecurity.com)
155 points by MindGods 15 days ago | 177 comments

So this effectively lets you use chip data to recreate a magnetic stripe, which passes validation when the banks don't check against the right CVV.
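The issuer-side check this comment is pointing at, as an added example (not code from the thread or from the Krebs article): the verification value the bank expects has to depend on how the card was read, CVV1 for a stripe read and iCVV for a chip read, instead of accepting whichever one matches. The issuer key, the PAN and the HMAC standing in for the real DES-based CVV derivation are all constructed assumptions.

```python
"""Issuer-side verification value check. Constructed simulation: not an
issuer host's real code, and the HMAC below stands in for the DES-based CVV
derivation that real issuers use."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the issuer's Card Verification Key (assumption).
CVK = b"constructed-issuer-cvk-for-demo"


def verification_value(pan: str, expiry: str, service_code: str) -> str:
    """Keyed digest over PAN, expiry and service code. A real CVV is three
    decimal digits; six hex characters are kept here so the demo values
    cannot collide by chance."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    return hmac.new(CVK, msg, hashlib.sha256).hexdigest()[:6]


def cvv1(pan: str, expiry: str, service_code: str) -> str:
    """CVV1: the value encoded on the physical stripe, bound to the service
    code the stripe carries."""
    return verification_value(pan, expiry, service_code)


def icvv(pan: str, expiry: str) -> str:
    """iCVV: the value in the chip's track-2 equivalent data. It is derived
    with service code 999 so that it differs from CVV1; that difference is
    what lets an issuer tell chip-derived track data from a real stripe read."""
    return verification_value(pan, expiry, "999")


@dataclass
class Authorization:
    pan: str
    expiry: str         # YYMM
    service_code: str   # service code in the track-2 data the terminal sent
    presented_cvv: str  # verification value in that track-2 data
    entry_mode: str     # POS entry mode: "swipe" or "chip"


def lax_issuer(auth: Authorization) -> bool:
    """Weak check: accepts whichever value matches, ignoring the entry mode.
    This is the behaviour that lets chip data replayed on a stripe through."""
    valid = {cvv1(auth.pan, auth.expiry, auth.service_code),
             icvv(auth.pan, auth.expiry)}
    return auth.presented_cvv in valid


def strict_issuer(auth: Authorization) -> tuple[bool, str]:
    """Channel-aware check: the expected value depends on how the card was read."""
    if auth.entry_mode == "chip":
        expected = icvv(auth.pan, auth.expiry)
    elif auth.entry_mode == "swipe":
        expected = cvv1(auth.pan, auth.expiry, auth.service_code)
    else:
        return False, f"unknown entry mode {auth.entry_mode!r}"
    if not hmac.compare_digest(auth.presented_cvv, expected):
        return False, f"verification value is not the {auth.entry_mode} channel's value"
    return True, "ok"


# Constructed sample card (test PAN, not a real account).
PAN, EXPIRY, SERVICE_CODE = "4000000000000002", "2512", "201"
STRIPE_CVV = cvv1(PAN, EXPIRY, SERVICE_CODE)
CHIP_CVV = icvv(PAN, EXPIRY)

GENUINE_SWIPE = Authorization(PAN, EXPIRY, SERVICE_CODE, STRIPE_CVV, "swipe")
GENUINE_CHIP = Authorization(PAN, EXPIRY, SERVICE_CODE, CHIP_CVV, "chip")
# Track-2 data taken from the chip and presented as a swipe: the service code
# is unchanged but the verification value is the iCVV, not CVV1.
CHIP_DATA_ON_STRIPE = Authorization(PAN, EXPIRY, SERVICE_CODE, CHIP_CVV, "swipe")
SAMPLES = (GENUINE_SWIPE, GENUINE_CHIP, CHIP_DATA_ON_STRIPE)


def compare_issuers() -> dict[str, list[bool]]:
    """Decision of each issuer policy for the three sample authorizations."""
    return {
        "lax": [lax_issuer(a) for a in SAMPLES],
        "strict": [strict_issuer(a)[0] for a in SAMPLES],
    }


if __name__ == "__main__":
    for policy, decisions in compare_issuers().items():
        print(policy, decisions)
```

The lax policy approves all three samples; only the channel-aware policy rejects the chip-derived track presented as a swipe.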

Yeah, not great. OTOH I worked on an early EMV implementation almost 20 years ago now, and it was obvious even then that mag stripe was a huge security problem. I'm amazed we're still talking about mag stripes and issuing cards with them in 2020.

They should have been retired over a decade ago.

They were retired over a decade ago (in all main use-cases except where connectivity goes down - magstripe is the backup, but thoroughly validated option), except in the US where there's this idea that implementing chip & pin is a barrier for sales and hurts small businesses because "upgrading the terminal is expensive" (no it's not - if you can't account for $150 every 10 years on taking payment, you shouldn't be in business - or just use cash).

My guess is lobbying by insurance and reinsurance drove most of that conversation, because the only downside I've seen from chip & pin implementation is that you have to touch the terminal. Paywave and contactless are now mainstream, so this is a non-issue.

> magstripe is the backup, but thoroughly validated option

Chip and pin is also used for offline transactions. Never once in Europe have I signed/seen someone sign https://www.emv-connection.com/emv-faq/#q9

PIN is verified on the card, not over the network.

I used the signature last year in Germany, when the cashier stripped my card without asking first whether I wanted to pay using my PIN or the stripe.

> upgrading the terminal is expensive

It's not the terminal upgrade that's the barrier. At many businesses, if you upgrade the terminal you also have to replace the point-of-sale system. Then you have to integrate it with your existing backend sales system, fulfillment system, inventory system, and more. And you're lucky if all of that can then be integrated into your accounting system. Then you have to retrain all of the people who will ever touch any part of the entire process.

You see it as upgrading the terminal because that's all you see. But that is the very small tip of a very large iceberg.

Weird how the whole globe managed that, from small city states over third world nations to old established countries. And yet...

A lot of the third world leapfrogged to mobile payments and never had widespread credit card adoption. So it's more like 4% of the world hasn't done a thing the 10% of the world that HN perceives as "rest of the world" has done.

Here in the UK the government engaged in a big campaign to encourage companies to support it due to the added security. Within a year pretty much every shop could accept chip and pin. None of them suffered financial difficulties as far as I am aware.

You Americans need to stop whining and get on with it like the rest of the world has. I mean, honestly, most shops here are now moving on to accepting contactless payments, so you're two generations behind. Makes America look like backward yokels.

Yeah, no. Europe and Asia-Pacific all adopted chip and pin just fine (minus China).

> Europe and Asia Pacific (minus the majority of Asia Pacific),

so 4% of the world hasn't done something ~15% of the world has done in a situation that isn't even relevant to at least 18% of the world.

There was literally nothing stopping the US from following suit apart from culture and lobbying. You're the richest country in the world, it'd be a rounding error.

Other commenters have given plenty of reasons. I never understand the obsession Europeans have with getting other parts of the world to be identical to them. Worst part is when we do adopt your practices you start whining about how we copied you.

The interface of the terminal is usually decoupled, there are adapters built for terminals to retro-fit older systems.

Thanks to COVID contactless payments in my country are at 60% now.

First I would love to find a way to find which banks or processors are vulnerable.

Second is, is there a way to gain the safety of the chip and pin with online purchases. Currently I obscure my CC info by using PayPal where available, and in the real world I live by Apple Pay. If I could disable access to my card by stripe for the real world where Apple Pay is not usable I would.

> Second is, is there a way to gain the safety of the chip and pin with online purchases.

Yes, there's this 2FA thing where you're redirected to your bank's website and you have to enter the code they send to your phone. I've had this for ages and I'm surprised there are still places where it's not mainstream.

Magstripes tho? I remember using mine when I visited the US in 2016 and that's about the only time when I used it. It was weird too, because most terminals had the chip slot but cashiers insisted that you swipe. The most bizarre part is that sometimes the transaction went through with just the swipe — no PIN, nothing.

>Second is, is there a way to gain the safety of the chip and pin with online purchases.

In the UK we have had "Verified by Visa" and "Mastercard 3D Secure" for many/most online transactions for a long time (12 years?)

It's effectively a form of 2FA, the transaction flow diverts to a bank portal where you authorise the transaction with a password, or a selection of digits from a passcode. This never goes near retailer systems.

It's not the same level of assurance as EMV, but it is something, and any transactions that don't go via that system are more likely to be declined or flagged as fraud.

How do those work over there? We have both in the US as well, but I've always refused to use them because signing up for either seems to transfer a significant chunk of the liability for fraudulent transactions away from the bank and on to the consumer.

They're kind of half-arsed. So far as it's possible to tell, nobody who knew anything about UX or digital security was anywhere close to these projects.

So, your bank opts in to the Verified by Visa scheme (they can't opt individual account holders out, or at least my otherwise very co-operative "good" bank said they can't when I asked years ago)

If an online retailer performs Authorisation the API they talk to will examine your card number and conclude it needs this extra check, so it tells them to forward your browser to an HTTPS site you've never heard of, in the arcot.com domain. I guess if you're a huge bank you've heard of Arcot, but consumers haven't. The site claims to be from your famous bank brand, but the domain name clearly isn't, anybody who has learned anything about phishing ought to run screaming.

The arcot.com HTTPS site looks at the transaction and if you've never done this before it (presumably always? but maybe if there's a fraud flag this doesn't happen?) registers you for the "Verified by Visa" service. You can pick "No, I'm busy right now, just let me buy stuff" and it will give you a few passes, but I believe eventually it's mandatory.

Signing up requires giving them some details about the card, and also effectively creating yet another secret password. (Because we all know secret passwords are great right?). There might be an option to pick a picture or text greeting so you'll "know it's them" although of course a sophisticated attacker could duplicate that part...

On subsequent visits you may be asked for that secret if you've created it. Or, it might give up asking and just say everything is fine before returning you to the original payment flow. My transactions are reassuringly boring so I am never asked for anything these days.

The whole thing looks like it was built by people who were impressed by IE6 and are planning to buy a 17" display soon. The cryptography would be impressive for the IE6 era and not so much today, it's TLS 1.2, it has some basic precautions, but it's scarcely Fort Knox, your GMail is better protected.

Ah, actually that sounds pretty much exactly the same, except I've only ever been redirected once or twice. I think the only difference is that I didn't realize that it would eventually force you to sign up.

Here in Finland Verified By VISA and Mastercard 3D Secure will just present the same 2-factor bank authentication you already use for your non-card online payments and bank transfers. There are no separate credentials or sign-up steps.

Practically all domestic online retailers here have used those over 10 years now, and AFAIK there is no opt-out (at least for regular bank-issued consumer VISA/MC cards).

You don’t sign up to anything, it’s with the issuing bank or provider.

Yeah, whenever I hit one of those, I immediately back out of the transaction. I'm like, "Wait, I'm supposed to be paying business X, why am I at a different web site? Something's fishy here. Fuck this."

Actually 3DS is much more reliable than giving credit card numbers to random online merchant that will face data breach sooner or later.

Maybe it's not two "Factor" auth because ID/pass and card number is both knowledge of secret.

Hm, that makes me wonder; is it possible to demagnetize or scramble the data on the mag stripe without harming the chip? I'm not sure how sensitive the chips are to magnetic interference, but if you can pull it off, you can make your own chip-only cards.

There certainly is. I have done this with a non-payment card. All you need is a magstripe reader/writer. A few tens of passes of writing random data to the magstripe should do the trick.

Not sure how this would impact the usability of your card though, in case you do end up relying on the magstripe.

Maybe it would make sense to limit magstripe transactions to $40 or let people decide their own limit.

If a transaction doesn't get made because it was over $40, that represents unacceptable missed profits, if some unfortunate consumer gets their identity stolen[1], well, they should have been more careful.

It would make sense to eliminate magstripes, to limit them to $40, to let people decide their own limit, or any number of other things - the trouble is that the incentives of the businesses, banks, and credit card companies are more to make every transaction a success and to blame the consumer when they're too successful.

[1]: Yes, I recognize this is bad framing, the fault isn't with the victim nor really with the perpetrator but the incompetent designer of the lock.

> If a transaction doesn't get made because it was over $40, that represents unacceptable missed profit

Contactless already has transaction limits so clearly payment method-specific transaction limits do not create "unacceptable missed profit".

> Contactless already has transaction limits so clearly payment method-specific transaction limits do not create "unacceptable missed profit".

This isn't true with US payment cards, in my experience. I've charged over $1000 on a credit card multiple times while using contactless methods (both RFID and Apple Pay, specifically). I was also able to do the same with my (American) cards while in Europe.

Apple/Android pay is generally unlimited here in the UK, but using contactless cards is limited to £40, blanket.

This is because contactless card payments have no cardholder verification.

I am quite surprised if you can do that with your cards in Europe as the limit is usually enforced on/by the merchant, not the card.

Can tap-to-pay with no verification up to 500NOK (approximately $55), over that amount I have to type my pin. No limit with pin as far as I can tell.

> the fault isn't with the victim nor really with the perpetrator

The perpetrator isn't at fault?

The perpetrator defrauded the bank, not you. The fault for your account not showing the correct balance should be on the bank.

That seems completely orthogonal to my question.

The perpetrator is in one sense to blame but this isn't a good justification for lax security on the part of the card issuers.

You wouldn't leave your door unlocked at night because it's the burglar's responsibility to be a better citizen.

I believe the way it works (in some European countries at least - perhaps also the UK) is that if the retailer uses mag stripe then effectively they bear the fraud risk, whereas with chip and PIN the bank/card company does (not sure how this works for card holders who are unable to use chip and PIN due to disabilities, which is another reason mag stripes haven't gone away completely). This seems like a reasonable compromise to me.

This is called "Liability shift" yes. Shift is imposed where a retailer cannot/does not accept chip cards rather than where for whatever reason a chip card wasn't able to be used. In the US shift was supposed to be imposed everywhere left this summer, I expect COVID-19 is offered as another reason to yet again delay, but retail stores are already covered, it's mostly things like some unattended 24 hour gasoline pumps that are still mag-stripe in the US.

Also most (all?) card holders don't have a problem with the chip, they may be unable to remember a PIN, or unable to enter one, in which case the chip terminal requests a human witness them signing something or asks the retailer to accept just the chip. Americans using European terminals may not have a PIN either, their chips tell the terminal this user doesn't have a PIN, they may be asked to sign something instead.

> Americans using European terminals may not have a PIN either, their chips tell the terminal this user doesn't have a PIN, they may be asked to sign something instead.

Or, in the case of unmonitored "kiosks", the American is just left with a failed transaction. This was my experience with train ticket terminals in Italy and unattended petrol stations in the UK. Fortunately, in both cases, my secondary card has a PIN enabled. It was irritating that my primary card didn't offer a PIN, so I cancelled it upon my return to the US.

Edit - this was 5 years ago, may have changed since, not sure as I changed cards to one that explicitly offered chip/pin at the time.

I don't think disability requires using the magstripe. The chip can mark what security is required, just like many American cards are "Chip and Sign".

I don't know if this is still the case but I think some people with eg dementia or some rare memory disorders kept mag stripe cards (which they'd previously been issued with very long expiry dates) when chip and PIN was first introduced.

This kind of thing is done today with EMV cards to determine whether the customer needs to enter a PIN or not. Under a threshold: swipe and go because the level of possible fraud is acceptable vs. the impact on the customer. Above a threshold, PIN required.

Not in the US.

Won't work for gas stations which are the last holdouts.

There's no reason why contactless EMV should not be required even at a gas station (not needing a limit).

Gas pump readers are very expensive. The solution for the wise customer is to go inside and use the POS terminal at the counter if possible.

Old school gas station attack: many gas stations queue and forward transactions for reconciliation in batches, waiting to do so when they don't have connectivity. People have taken advantage of this fact by climbing up on the roof of stations with satellite connections for their POS terminals, tin-foiling them or otherwise blocking their transmission, then buying a bunch of gas with a stolen credit card. Head down to the next gas station, lather rinse repeat, and by the time things get figured out you've got maybe a hundred gallons of gas and a bunch of candy bars you can trade for meth (this is not a Bond Villain-level crime).

> The solution for the wise customer is to go inside and use the POS terminal at the counter if possible.

That's irrelevant to this attack. Bad guys aren't obliged to use that terminal, and they're the ones relying on access to a mag-stripe reader.

However for that "old school" attack EMV could help if it was deployed. Because EMV cards have state, they can have arbitrary rules about how often they're willing to perform offline transactions and how much value for. So e.g. a card can decide it won't do more than five offline transactions or more than $100 of transactions without going online.
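An added simulation (not code from the thread) of the two card-side rules described here and in the earlier "under a threshold, swipe and go; above a threshold, PIN required" comment: a no-CVM ceiling and offline velocity limits that make the card demand an online authorisation after five offline approvals or $100 of offline spend. The limit values, counter names and cryptogram labels (TC, ARQC, AAC) are used as in EMV, but the class layout is an assumption.

```python
"""Card-side risk management of the kind an EMV card can apply: a no-CVM
ceiling (above it the cardholder must enter a PIN) and offline velocity limits
(after N consecutive offline approvals, or a cumulative offline amount, the
card insists on going online). Constructed simulation, not a real card
application; the limit values and method names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class CardLimits:
    no_cvm_ceiling: int = 5000       # cents; up to this amount no PIN is demanded
    max_offline_count: int = 5       # consecutive offline approvals allowed
    max_offline_amount: int = 10000  # cumulative offline cents allowed


@dataclass
class CardState:
    limits: CardLimits = field(default_factory=CardLimits)
    consecutive_offline: int = 0
    cumulative_offline: int = 0
    atc: int = 0  # application transaction counter, incremented per transaction

    def cvm_required(self, amount: int) -> str:
        """Cardholder verification the card demands for this amount."""
        return "NONE" if amount <= self.limits.no_cvm_ceiling else "PIN"

    def offline_would_exceed(self, amount: int) -> bool:
        """True if approving this one offline would breach either velocity limit."""
        return (self.consecutive_offline + 1 > self.limits.max_offline_count
                or self.cumulative_offline + amount > self.limits.max_offline_amount)

    def decide(self, amount: int, terminal_online_capable: bool,
               pin_verified: bool) -> tuple:
        """Cryptogram type the card generates, with the reason:
        TC   = approved offline
        ARQC = card requests online authorisation by the issuer
        AAC  = declined by the card"""
        self.atc += 1
        if self.cvm_required(amount) == "PIN" and not pin_verified:
            return "AAC", "amount above no-CVM ceiling and no PIN verified"
        if self.offline_would_exceed(amount):
            if terminal_online_capable:
                return "ARQC", "offline limit reached, going online"
            return "AAC", "offline limit reached and terminal cannot go online"
        self.consecutive_offline += 1
        self.cumulative_offline += amount
        return "TC", "approved offline"

    def online_response(self, approved: bool) -> None:
        """Issuer's reply to an ARQC; an approval resets the offline counters."""
        if approved:
            self.consecutive_offline = 0
            self.cumulative_offline = 0


def offline_pump_scenario() -> list:
    """Six $15 fills at a pump that queues transactions offline (the
    batch-and-forward behaviour the thread describes), then the same card at
    a pump that can go online, then offline again after the issuer approved."""
    card = CardState()
    log = [card.decide(1500, False, True)[0] for _ in range(6)]
    log.append(card.decide(1500, True, True)[0])
    card.online_response(approved=True)
    log.append(card.decide(1500, False, True)[0])
    return log


def contactless_scenario() -> list:
    """A $60 tap with no PIN, then the same amount once a PIN was entered."""
    card = CardState()
    return [card.decide(6000, True, False)[0], card.decide(6000, True, True)[0]]


if __name__ == "__main__":
    print(offline_pump_scenario())
    print(contactless_scenario())
```

The sixth offline fill is refused by the card itself, which is what makes the roof-top "block the uplink" trick described above stop paying off after a handful of fills.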

I should have been more clear: the first sentence was meant for defeating skimmers and the like. Nothing to do with helping the retailer, just the end consumer.

You're entirely correct with EMV. Additionally, more gas stations are moving away from the old satellite connections, and an m2m cellular card in a POS terminal is a lot harder to shut down (at least without the cashier noticing).

The whole point of the scheme this HN post is about is that it doesn't need to skim the mag-stripe.

Here's how this goes (everything in this story actually happened in England years ago, but that's before a change this story says wasn't entirely effective in eradicating the fraud)

Sarah lives in England where they are getting EMV terminals everywhere. Her cousin Terry lives somewhere which doesn't yet have terminals everywhere. Let's say it's Belgium, although in fact it was not.

Sarah owns a dozen petrol stations (that's what they call gas stations in England) and there are shiny EMV terminals arriving. Terry sends over instructions and electronic kits. The terminals are hollow and the instructions explain how to open one without the "anti-tamper" mechanism noticing and add more electronics in the convenient space.

Sarah teaches all her staff how to use the new terminals. She of course doesn't mention they've been tampered with.

You go to a petrol station, fill up your car, and hand your card to the clerk. "We got new machines" says the clerk and hands the card back. You put your card in the machine, and enter your PIN. I guess this is more secure?

In Belgium, Terry receives the magnetic stripe details of your card, retrieved from the chip using a convenient "Hey what is your mag-stripe?" API and sent over by a mobile chip in that circuit Sarah fitted. Terry has a mag-stripe writer and turns a cheap plastic card into a good-enough clone of your bank card. He sells this card to street level criminals in Belgium for €100, Sarah will get £10 per card as her cut.

Those street-level Belgian crooks need mag-stripe terminals because their cards have no chip, but you not swiping made no difference.

Edited to add:

While we're here. This is a recurring security problem. Old insecure systems can ruin it for new secure systems.

Imagine you have a brand new, up-to-the-minute TLS 1.3 only website. You use a cert for www.example.com with a nice shiny Elliptic curve public key & the corresponding Elliptic curve private key is in an HSM at a protected site, no problems. What can go wrong? Unknown to you, some numb-nuts who was angry about the company choosing Slack set up an "experimental" IRC server doing SSLv3 on port 6667 of their laptop using a *.example.com wildcard RSA cert that's still valid until next month. Bad guys who get even fairly limited access to your network can attack that IRC server, which is running on a high port on some idiot's laptop computer in corporate, not the secure datacentre where the web server is, and use it to flawlessly impersonate www.example.com if they can get on-path. They know this trick can work as soon as they find the IRC server, no special insight is needed.
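An added inventory check for the failure mode just described (not the commenter's code): find every endpoint that presents an unexpired certificate valid for the critical hostname while still negotiating legacy protocol versions or holding the key outside the approved location. The inventory records are constructed stand-ins for scanner output; the hostnames and dates are assumptions.

```python
"""Inventory check for the failure mode above: a certificate valid for a
critical hostname but served by some endpoint that still negotiates legacy
protocol versions, or that lives outside the approved locations. Added
example; the inventory records are constructed stand-ins for scanner output."""
from dataclasses import dataclass
from typing import List

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class Endpoint:
    host: str
    port: int
    location: str         # where the private key actually lives
    san_names: List[str]  # names the served certificate is valid for
    protocols: List[str]  # protocol versions the endpoint will negotiate
    not_after: str        # certificate expiry, ISO date


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: '*.' covers exactly one left-most label, so
    *.example.com matches www.example.com but not example.com or a.b.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern.split(".")[1:]
    labels = hostname.split(".")
    return len(labels) == len(suffix) + 1 and labels[1:] == suffix


def impersonation_risks(inventory: List[Endpoint], critical_host: str,
                        today: str, approved_locations: set) -> List[str]:
    """Every endpoint whose unexpired certificate is valid for critical_host
    and which either speaks a legacy protocol or sits outside approved_locations."""
    findings = []
    for ep in inventory:
        covering = [n for n in ep.san_names if name_matches(n, critical_host)]
        if not covering or ep.not_after < today:
            continue  # no cert for the name, or already expired: no exposure
        problems = []
        weak = sorted(set(ep.protocols) & LEGACY_PROTOCOLS)
        if weak:
            problems.append("legacy protocols " + ", ".join(weak))
        if ep.location not in approved_locations:
            problems.append(f"key held at unapproved location {ep.location!r}")
        for problem in problems:
            findings.append(
                f"{ep.host}:{ep.port} serves {covering[0]} for {critical_host}: {problem}")
    return findings


# Constructed inventory mirroring the comment's scenario (assumed names/dates).
INVENTORY = [
    Endpoint("www.example.com", 443, "datacentre", ["www.example.com"],
             ["TLSv1.3"], "2026-01-01"),
    Endpoint("api.example.com", 443, "datacentre", ["api.example.com"],
             ["TLSv1.2"], "2026-01-01"),
    Endpoint("laptop-42.corp.example.com", 6667, "corp-laptop", ["*.example.com"],
             ["SSLv3", "TLSv1.2"], "2020-09-30"),
    Endpoint("oldbox.example.com", 8443, "datacentre", ["*.example.com"],
             ["SSLv3"], "2019-03-01"),
]


def audit() -> List[str]:
    """Run the check for www.example.com as of a constructed audit date."""
    return impersonation_risks(INVENTORY, "www.example.com", today="2020-08-15",
                               approved_locations={"datacentre"})


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Only the laptop on port 6667 is reported: the expired wildcard on oldbox no longer lets anyone impersonate anything, and the datacentre endpoints present no legacy protocols.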

You sure? Most of the gas stations I use to fill up have me leave the card in for the chip reader, as opposed to slide it in and out quickly as before.

I travel a decent amount in the Western US, mostly in California and Oregon. I have never once encountered this.

I've seen it in Arizona, Nevada, and New Mexico. California should get on board.

Stumbled across my first one of these the other day.

It's not obvious at all that you should leave it in - particularly when accustomed to the ubiquitous slide-in-and-out-fast kind.

This one tried to lock my card in, but when I reflexively yanked on it to pull it out, somehow it lost contact with the chip or something. What followed was a stuck card in this machine, and the machine stuck on "verifying"... no cancel buttons worked either. Eventually, after a long and disconcerting minute had passed, it finally released my card and told me to go inside for payment.

Definitely not user friendly in the slightest... and just an awful way to start your morning on your way to work.

The chain "Speedway" has chip card readers at their pumps, at least in my region (western NY).

The New York Speedways are all conversions from Mobil stations and they just upgraded their pumps. Few other stations are supporting chip cards.

Until EVs are more mainstream I guess, but that won't probably be for another 5-10 years.

Haha. A bit unrelated, not sure how it works in the rest of the world, but in Norway EV charging stations don't even have a card reader, you have to sign up with an app and register your card there. And each charging company has their own app. Absolutely bonkers. You can get a chip for your key chain and tie it to all your apps so you can read that at the charging station, but still.

I own a Tesla, and there are not card readers at superchargers.

Mag stripes, via fingerprinting of the actual stripe, can be made more secure than EMV or contactless.

Both the standard card data and the underlying magnetic fingerprint of the card are read, all in a single swipe. [1]

[1] https://www.magtek.com/product/magnesafe-intellihead

That's still not really "more secure" than EMV, which includes active security measures like PIN validation capabilities, various active anti-fraud measures like offline velocity checks, transaction amounts encoded in cryptographic tokens, and which can in theory be remotely disabled etc.

I guess it makes it "more /just as able to be authenticated as a genuine card" though.

Yes, I hear you. It would then come down to what's easier to do correctly, authenticate an EMV transaction or read and validate the fingerprint of a card's mag stripe.

To the best of my knowledge, I don't think anyone has been able to replicate a mag stripe's fingerprint on another card's mag stripe. However, this security measure has probably seen a few orders of magnitude less adversaries than EMV and RFID have.

I will never understand why magstripe is still used in the US. Even after EMV became "mandatory" there are still magstripe transactions happening and when you are presented with a chip reader it's slow and awkward. Why is it such an inferior experience compared to Europe?

My understanding for part of it is that magstripe readers were much more common in the US, and businesses (a) didn't want to pay to upgrade all their terminals and (b) don't want to turn away a purchase because a customer doesn't have a chip or the chip isn't working.

That may have been the case, but pretty much everywhere I go stores have newer EMV capable terminals (e.g. Ingenico etc.). The only place I really use mag swipe now is a gas station pump (who have no excuse not to switch to contactless EMV).

You'd think with COVID-19, there'd be a rush to move to contactless payments.

Yeah I actually choose gas stations that support contactless payments. No card contact + one disposable glove is the way to go.

Overkill? Maybe. But it costs me nothing so I'll take the peace of mind.

I'm really not trying to be rude here, but a disposable plastic glove isn't a "cost nothing" scenario. Plastic pollution is bad. Climate change is real. Trash islands are real. Microplastics in the entire food chain is real. I admire your dedication to stay safe, and don't want you to stop feeling safe, but we must all begin to accept what we're doing to the environment.

Understandable, but the cost to produce a glove is still very minor. And the way you solve pollution and microplastics from items in the trash can is by making sure that trash from cans is handled appropriately. Not by having consumers reduce their trash by a few percent. The climate damage is the only thing where you can really put responsibility on the consumer, and that can be fixed with a well-directed fraction of a penny.

>the cost to produce a glove is still very minor.

It's not about your individual glove. It's the 300 million-ish people using 10 disposable gloves a day.

>And the way you solve pollution and microplastics from items in the trash can is by making sure that trash from cans is handled appropriately. Not by having consumers reduce their trash by a few percent.

How can you handle the level of trash we have responsibly? What's the plan? You seem to know, so please share it with the world so we can save the planet.

I totally understand your point about the environment.

Given that I only fill my car once every 14 days, and only use 1 single glove for the hand touching the handle, I'm not overly concerned about the generated waste. Even if every American did this during the pandemic it would be dwarfed by the number of gloves used by hospitals even before covid.

I certainly agree that plastic waste is a major issue, and I'll certainly re-evaluate my current method when we aren't mid pandemic, but I'm confident there's simpler ways to reduce plastic waste in more meaningful amounts. I'm pretty sure that I've removed more unnecessary packaging plastic from purchased goods in the past month than gloves I've personally used total this year (I dabble with stuff you want to wear gloves with).

It's literally not about you, the individual. I'm not trying to chastise you, but we, as a society, need to consider waste. If 300 million people have your mindset, then that's 300 million plastic gloves in a landfill every 14 days, which is too much. And I assure you that other people don't have your mindset.

The trash from trash cans can be buried safely in landfills without much difficulty. The big problems arise when we cut corners or have plastic trash that is not in trash cans.

A lot of people think COVID-19 is indeed the thing that will tip this into the mainstream default: https://www.bankingdive.com/news/will-covid-19-push-contactl...

I hope so. On a related note, I don't know if this is just me, but I literally have not used cash since March (although I keep hearing about a "coin shortage", perhaps this is people just not using coin anymore).

Same. And yes, that's my understanding plus other factors: low usage of mass transit ticket machines and laundromats. Plus few people rolling coins and bringing them into a bank right now.

Lots of gas stations do use the chip, but it's the same process of inserting the card.

In New England, I've never seen anything other than a magstripe insert-remove type reader in a gas pump (although I think some do contactless EMV).

FWIW, At least in MA, it's rare to see a gas pump older than 10 years -- I think due to both Federal and MA State UST laws that require fairly recent (e.g. 2019) minimum standards such as double walled, properly cathodized, leak detecting tanks along with subsidies for tank replacement that have resulted in pretty much every gas station around here being totally renovated in the past 5 years or so.


Never been to a pump that uses chip personally, unless you pay inside. I've seen ~5 with a contactless tap point, but only got about 2 of them to work.

This is in Texas, for reference.

> pretty much everywhere I go stores have newer EMV capable terminals

Go more places.

I know of a national restaurant chain and a regional coffee chain that are swipe only.

Also, Lowe's was swipe only the last time I was in there, but that was a several months ago.

Magstripe readers were ubiquitous in the UK 15 years ago. The banks started issuing chip and PIN cards and terminals, then did the liability shift a couple of years later. That shift is what's needed to make retailers switch, and is what still hasn't happened in the US.

I was wondering too. But here in US the equation is bit different. The CC networks have already backed the cost of magstripe fraud in the business model. They convinced Americans to pay an elevated fee to balance the inevitable fraud induced by magstripe. Now, with EMV in theory the fees should drop as there is less fraud than with magstripe. Having magstripe around is a way to justify the fees. That is my understanding that it would be difficult now to explain to Americans that they paid elevated fees for so long to pay for fraud that was no fault on their own.

Because many consumers don't see chip and pin as an upgrade (though contactless is nice). So it depends on the banks to decide whether it's worth it. With debit cards, the extra security is valuable. But with credit cards it isn't really too important to me because I can just reverse fraudulent charges.

As for the experience of using each, it seems to depend a lot on the machines. I did not like using chip and pin in Europe because it seemed to take longer and required more interactions. With the magstripe I pull the card out, swipe it, put it away. I'm never waiting for anything. Sometimes I'd have to swipe it twice, but that didn't happen too often to me. But it seems like different people have very different experiences with these things.

edit: this mostly applies to credit cards, which are much more common in the US than in Europe. But the lack of significant benefit for credit cards to use this technology could have resulted in momentum that slowed the adoption of it for debit cards.

> Why is it such an inferior experience compared to Europe?

Legacy hardware.

Europe was late to the credit card game, so when it finally got on board it had newer gear. The Americans already had their stuff in place and it worked.

Unlike computer nerds who will upgrade their computers just to feel current, businesses don't throw around money unless they have a very good reason.

I don't think so, as far as I know all "old" terminals had to be replaced or upgraded in the EU some years ago to comply with the new chip technology.

Edit: so it's more about the willingness to require cost for upgrades than there being costs for upgrades, I think.


A few years ago NFC terminals weren't really popular around here, but nowadays it's hard to find a terminal without the support. I think this applies for quite a few EU countries.

NFC technology is less secure, but every purchase above 25 EUR requires PIN verification, so there is a limit on how much can be stolen.

Yes, even in Berlin you most times have NFC support if they support card payment by now. And Berlin is probably one of the cities with the most "cash"-only shops/restaurants/bars/* in Germany and really no one expects you to have NFC support or card support at all (if you are a small shop/*).

EDIT: Btw. they lifted that limit temporarily to a much higher value (something >50€) so that fewer people have to touch the numpad when shopping (at least in/for larger grocery stores).

What is crazier still, is I wasn't even sent a chip & pin card from my bank until just last year. At least they did everything all at once, chip and contactless. But I'm still waiting for Capital One to send me a contactless card (it's my preferred card to use internationally where contactless seems to be the standard).

If you have a (modern, smart) phone you can teach the phone this Capital One card and it'll "be" that card contactlessly when you travel, one less thing to carry.

I deliberately own (special ordered from my bank) a card that has no contactless, and it's also the card my phone "is" so all contactless transactions with that card are through the phone, the bank never issued a contactless card so it's literally impossible that the card itself was used for a contactless transaction.

Using the phone this way allows me to walk around the supermarket, scanning product codes with the phone, then walk to the checkout, scan the "I'm done" code and hold the phone near the contactless checkout as payment. No human interaction, very little touching stuff, only need the phone which I'd carry anyway, no cards or cash.

I actually had trouble a year ago when traveling in the UK (I miss travelling). I was using my Capital One through Apple Pay, but it would get declined constantly and shut off because the UK doesn't pass the CVV into the transaction. I never found a clear pattern for when fraud detection would occur, but one app that caused it constantly was Deliveroo.

> At least they did everything all at once, chip and contactless.

I got contactless cards about 10ish years ago, then when those renewed, it was back to stripe (and embossed) only; then chip and stripe and embossed; then chip and stripe but mostly flat; now this year I'm getting chip and stripe and contactless and apparently only Amex is embossing for carbon copy imprinters.

I don't get it either; I've never seen magstripe being used in person. This technology has been retired since the 90s in France at least. Magstripe tech sounds kind of VHS to me.

Guessing Visa can "fix" this problem in the same way they fix the fallback to magstripe: make the vendor pay a fee for noncompliance.

They absolutely could, but I was told by folks there that the merchants were pushing back extremely heavily, hence the moving deadline to get rid of stripes.

They were pretty clear that gas pump readers were the biggest issue, as customers dislike centralized outdoor readers or having to go into the establishment, stand in line, and use their counter POS system.

That’s exactly how it should be: party at fault gets charged.

Hi. I have worked for one of the acquirers (card acceptors) for a couple of years, designing and implementing credit card terminals and security infrastructure. I was also a security officer.

Basically, credit cards can be very secure. But it also costs. Banks do simple cost/benefit decisions and may in many cases significantly lag behind in technology for various reasons. They get away with this because consumers have absolutely no idea how cards differ and what the options are.

But banks also take on all the liability for misuse. Customers aren't liable for fraudulent charges; that's why America has lagged behind Europe on rolling out chip cards: customers don't demand it because they don't pay the price for card fraud.

European customers aren't liable for fraudulent charges either, I don't really understand your logic here.

Everyone pays the price of fraud and it's probably one major reason that explains high interchange fees in the US.

No, US interchange fees pay for "reward" cards. You charge everybody 5% extra, you give Karen 5% cashback, she thinks you're "rewarding" her and everybody else gets screwed, the payment network keeps the difference.

The EU caps the interchange fee, does that mean the networks exit the business because they can't make money? No. Does it mean they've eliminated fraud? No. But it does mean they can't pay Karen 5% "reward" so they don't. There aren't any cards like that in Europe. For everybody else it makes the system cheaper.

I can assure you they use part of the interchange fee to cover fraudulent transactions or they offload the risk via insurance covering fraudulent transactions. There’s no way the issuing banks or Visa/MC just eat the fraud charges, we all pay for it.

Yes, rewards cards are paid for with interchange fees, but that doesn’t mean that’s the only thing they pay for. Most people pay more interest than they earn in fees per year anyways shrug

Early on the customers were completely liable because the banks claimed that the only way a fraudulent charge could be made was if the customer "allowed" their PIN to get stolen. Eventually they changed this and made it more customer friendly.

In Europe the liability shifted to the non-complying partner, which helped take-up.

Already the same in the US once EMV was rolled out.

That is the thing that it took me a while to understand once arriving in the US from Europe. In Europe I did not care the least if someone managed to hack my credit card. The bank is liable. The bank is responsible for making it as secure as possible. That is probably why we had credit cards with chip & pin since the 80s. Banks had an incentive to reduce the fraud as they could not easily pass it on to the customers. But when I arrived here in the US, I heard all those horror stories about fraudulent charges (and it happened to me too) and why I should take it seriously. And why I should protect my CC details ?!? (like my US social security number... but that is for another thread :) Coming from a country where CCs used chip & pin for more than 30 years, and only having the US embrace it (but only half-way) in recent years, is bizarre.

Coming from a country where your address and social security number are basically publicly-available information (so of course neither are used for anything sensitive), it took me some time to understand the fuss Americans tend to make about SSNs...

Yes, when I arrived my coworker gave me an orientation and highly suggested buying a paper shredder ?!? Why? I have never had a paper shredder before. I saw some at the lab I was working at in Europe, but it made sense there (pre-2000 we used to print listings a lot). Yes, the Social Security number is another oddness, with the credit score too :)

The banks may take on the liability but I assume they offload the risk elsewhere with insurance or pricing it in.

We pay for fraud with increased transaction fees.

Right, and so the trade-off seems completely reasonable to me.

If the bank has calculated that extra fraud costs less than the price of mitigating it with additional security measures, and it is the one bearing the cost either way, then power to them!

I'm not sure I understand this. Fraud, and cleaning up after it, is not free of cost. If anything, fraud is more insidious because it costs the one thing I can't replace, which is time.

Even for me--someone who has multiple payment cards, primarily uses credit (instead of debit), and has a healthy savings account and a flexible job--cleaning up from a stolen credit card number takes two or three hours at a minimum. For someone who does not have those things, particularly for people who primarily use debit cards[0], the impact is far worse.

If we swapped our cards to simply require a PIN that's validated by the chip on the card (so that in-person charges without the proper PIN cannot complete, even if the card is shimmed), that removes the bulk of in-person fraud attempts. But US banks are, largely, so fearful of customers switching away from them at even the slightest provocation, we don't get PINs. So I'm forced to ask what other "basic" measures (like 3D Secure for online transactions) we lack.

0 - I don't want to hear the rebuttal that "well, people should just use credit cards." There are a hundred different reasons why people don't use credit cards--don't qualify for one, have an objection to debt, past bad experience, and so on--and we cannot write off people who "only" use debit from security measures.

Overall, debit cards make much more sense than credit. Their purpose is just to move money across accounts, not to entice you to overspend and then prey on you if you forget the magic dance, or datamine your spending patterns. There is no intrinsic reason for credit cards to be safer.

This completely ignores the amount of worry and frustration which an ordinary person has to go through to get back to the point that only the bank is out of pocket. It's not trivial by any means.

You could also make an argument that by continuing to allow this fraud to happen we're funding all kinds of nasty people. I'm not convinced the argument holds water since bad guys are often faster to move than the banks but it's worth noting.

It’s a systemic issue. In jurisdictions where banks cannot shift the risk to the customers, they tend to be more effective.

In the few European countries I know, banks are very pro-active about card fraud and refund without asking questions if fraud happens anyway.

Nasty people will get funded anyway, but reducing fraud also reduces their income. The main drawback is that people have to use their PIN (and even that is getting rare thanks to contactless cards).

> They get away with this because consumers have absolutely no idea how cards differ and what the options are.

Do you have any tips/resources for how an interested consumer can become more informed (whether for personal or small business accounts)?

Is this the type of information you'd be able to get through contacting support, if you know the right way to ask? Or would it be considered too sensitive for the bank to give out implementation details that easily?

What features make a secure credit card and how can a consumer verify their presence?

> because consumers have absolutely no idea how cards differ and what the options are

Well if there's a time and a place to educate people, it's here and now. Your knowledge would be appreciated, TIA

I think the bigger issue is not the terminals themselves, but the software behind it that's designed to process the payment from the track data.

Contactless magstripe (MSD) is a workaround that allows for a contactless payment, but really is just sending the same (insecure) track data through the backend software. Contactless EMV is the right way, but requires more sophisticated software.

Can you give any recommendations on banks that really get it right? How about the inverse?

My experience has been that all the banks that gave me cards were diligent in verifying suspicious transactions, often erring on the side of caution and asking for confirmation. Also, they don’t tend to argue much before refunding an illegal transaction.

So, from my point of view, it could certainly be improved (along the lines of what Apple Pay is doing with tokenisation: confidentiality is an issue), but there is no real reason to complain.

As long as fraudulent transactions are rare enough that the banks don’t drag their feet, it’s fine.

How can noobs like me assess how good any given POS is?

Is there a rating system?

Any way to inspect transactions to see the whatnots?

Knowing nothing, I've been doing as much as possible using Apple Pay, because IIRC they do some kind of token exchange, vs sending my digits across the wire.

On this topic, if anyone can point me toward a US-based issuer where I can open an account and get a card that supports credit pin (not pin for cash advance on a credit card), I'll happily venmo you a pizza or something. The issuers I have spoken to[1] all tell me it is impossible to get such a card in the US, which seems ridiculous.

[1]: https://wallethub.com/credit-cards/chip-and-pin/ I discussed each of the cards noted here with the issuers, not one is actually chip+pin credit.

* Spokane Teachers Federal Credit Union (Mastercard)

* Andrews FCU (Visa, one of the cards is also contactless) - Must ask for the "international travel" card, the default is chip-and-sign

* State Department FCU (Visa) - Must ask for the "international travel" card, the default is chip-and-sign

* Target REDcard Mastercard (you have to get the normal store card and hope to get swapped out to the Mastercard after a few months/years/epochs; you can't get the Mastercard from the first go)

Also the UNFCU credit cards.

I have inquired about this also and found no solution. If I use my US based credit cards abroad where chip and pin is the norm, I end up getting asked to sign a printed receipt.

I imagine the card networks just don't want to spend money to change the infrastructure to support chip and pin because the merchant pays for most of the losses in the US?

Had many arguments with cashiers in Europe who refused to let me sign receipts and insisted I just enter a pin.

I was (politely) threatened with arrest on a British commuter train when the ticket inspector's credit card device insisted on a PIN for an American credit card.

He literally didn't believe me when I said American cards still ask for signatures. By luck there was an American also riding in the cabin who piped up to verify my story and I was allowed to pay when I reached my destination.

In Australia the same card works with contactless payment, which never asks for a signature, up to AU$100. But as soon as I go over that limit it's a card dip + signature.

Also interesting how there are such specific requirements at grocery stores. None of my US-based cards could be used in several grocery stores in the Netherlands. When the cashier looked at my cards, they immediately knew it was because I didn't support whatever networks they expect.

Maestro or VPay they expected, the European old-school debit brands.

The liability shift in the US that affected most retailers occurred in October 2015 -- basically, merchants are and have been liable for fraud that occurs on swiped transactions. I'd be curious to find out how the example presented by the parent article could change this -- a valid-looking card that only has swipe would definitely be taken by a merchant for fraud, and if the card doesn't claim to be EMV-capable, it seems like this would not be the merchant's fault. I would think in 2020, however, a mag stripe only card would raise red flags with humans at the counter, but gift cards are this way, so perhaps they would just breeze right through.

Previous commenter and I were talking about chip and pin, not just chip (aka EMV).

With EMV, someone can still use your card after they steal it. With chip and pin, that is far more difficult. I don't know if the merchant is off the hook even with just chip; I presume the card networks kept some weasel language in order to allow them to blame the merchant.

EMV is the standard for the debit/credit cards with chips. It includes modes with PINs, signatures, and neither, depending on the configuration of the card (i.e. the bank) and the reader (i.e. the shop's bank/intermediary).

First Tech Federal Credit Union offers Chip and Pin Mastercard.

What is the difference between Chip and PIN versus Chip and Signature? Chip and PIN is the most secure type of credit card technology. Instead of a signature being used for identity verification, it requires you to enter a four-digit Personal Identification Number (PIN) that must correspond to information contained in a computer chip embedded within the card. The Chip and PIN authentication method has been a global standard across Europe and Asia for many years which means using your card while traveling overseas will be even more convenient. Authorizing your transactions with a PIN is not new to debit card transactions, but is a new way to authorize payments with a credit card.

You may occasionally still be asked to sign for transactions while using your chip card. Please be assured that while these transactions are still secure, many merchants do not yet support chip and PIN so you may encounter this from time to time. First Tech is committed to ensuring chip and PIN technology is available wherever merchants accept it. Learn more at firsttechfed.com/mastercard.

Can confirm; I have First Tech and Spokane Teachers cards and both are chip-and-PIN. If either of them would start offering contactless on these cards, I'd have the perfect travel card.

I joined First Tech just to get that Chip and PIN card. It worked great everywhere I went in Europe.

Last I knew Barclays is the only one who offers a credit PIN that you can use at kiosks that only accept PINs. I also heard Navy Federal was rolling it out, but their services are military+family only.

This article says there's a few, ymmv

Barclays has chip and PIN capability, but it doesn't default to PIN if signature is available - it will only trigger if that's the only verification method, which is almost never the case in the US.

(Source: I have one, and the only time I've entered the PIN is at a British train ticket machine.)

I believe AmEx charge cards (Green, Gold, Platinum, possibly others but these are the good ones) are all chip-and-pin. The Blue Cash one on that website isn't.

My Gold is definitely not chip-and-pin. Chip, yes. Pin, no.

OK, so if I grasp this, the problem is that an EMV skimmer gets the card number and an iCVV. The bad guys make a stripe card with that number and the iCVV.

That should not work because banks are supposed to look for the iCVV only on dipped transactions, and look for the CVV on swiped transactions (and the CSC for online/telephone transactions).

Some banks apparently left out the logic of matching the type of code to the transaction method, and so using iCVV in place of CVV works for them.

Even if all banks got this right, though, it seems to me you could still get fraud. The CVV is only three digits. Once you've got the card number just make a stripe card and guess the CVV. If it fails, try another CVV. As long as you don't do too many guesses too close together and cause the bank to lock out the card, you should eventually find the right CVV.

Even if the bank is very trigger happy on fraud lockouts, if your skimmers got several thousand card numbers you are going to have many CVV guesses turn out to be right the first time.

Instead of the stripe on cards that have both EMV and stripe being just a copy of the same card that is in the EMV side of things, shouldn't they be separate? The issuing bank should issue two logical cards for the underlying account, with one being EMV only and one being stripe/online only.

I would hope that a card would be flagged as suspicious before a hundred tries. They could still get some transactions through, but that would cut the success rate by a couple of orders of magnitude compared to just hoping that the bank won't check.

What really needs to be done is letting go of the magnetic stripe.

A Monzo engineer describes nonconformance with specs which might lead some card issuers to be more liberal with what they accept: https://twitter.com/erincandescent/status/128153445694436147...

That was interesting, thanks for sharing it here.

I use my chipped card frequently when going to the grocery store. Pretty much 20% of the time, it won't read the chip, reporting "Chip Malfunction". Even wiping any sort of gunk off the chip contacts doesn't fix it. So you have to go through 3 failed read cycles before it will let you use the mag stripe on the back.

Going back to the store a few days later and the same machine will work, I wonder how often the machine's readers are cleaned.

A cashier gave me a tip once. Try pushing on the face of the card so the chip end is levered up against the machine tighter. It seems like there is something wrong with the contacts in the reader and they do not make appropriate contact with the chip.

I've had problems with the chips themselves. I had a card whose chip worked perfectly for maybe a year or more before I lost it. The replacement chip worked for about a week then I'd get a chip error every time and everywhere. So I got another replacement which didn't work out of the envelope. So I got a third replacement and it worked exactly one time before breaking.

At this point I've just given up and insert the card three times before being forced to use the mag stripe. I don't even know what else to do...

What if you sidestepped all the chip cleverness and just put cameras to capture the name, CC number, expiration and 3 digits? You'd still need a billing address I guess, but you might be able to get that by looking up the name and disambiguating using the location of the terminal.

> What if you sidestepped all the chip cleverness and just put cameras to capture the name, CC number, expiration and 3 digits?

Apple Cards have just the name on them, which is a nice step in the right direction. (No contactless, though, which is weird.)

Apple Cards also have the nice feature that the entire mag-stripe CC number is virtual and different/distinct from the number used by contactless/Apple Pay, the number used by the EMV, and the number given by the App for cases where something requests you manually type in a CC number. Most of those numbers can be changed in the App when needed. So even in the cases where someone skims or leaks an Apple Card CC number you typically have more protection than an average card.

Why would you need it, you've got an iPhone right?

(semi serious here - I'm sure they want you to use Apple Pay)

A contactless card just proves physical possession of the card. An Apple Pay payment means that a password or biometric authentication was performed, AND possession of the device, which raises the barrier to fraud. So there is a good reason for wanting to discourage the use of the card when possible.

There is a little thing called COVID. All my main payment cards are contactless now. I am not an Apple card customer.

Sure, but if you have an Apple card you're going to have an Apple phone, most probably, and that can do the contactless bit for you. Not sure if apple cards and android phones work, but android-pay is the other option for most cards.

Both are more secure than using the card directly with contactless - you have verified to your phone that it is you using it, by logging in with face ID, touch ID, passcode, PIN, whatever. It's a form of cardholder verification that is missing when you use the card.

That was my (slightly snarky) point - you don't need contactless on the card when you have a smart device that does it better.

I'm not an Apple card customer either, but I use Apple pay with my cards usually on my watch, although once in a while it doesn't work at a terminal and I have to pull out my phone (which is annoying since facial recognition doesn't work with a mask on). I understand similar things exist for Android.

If you want more convenience in your contactless payments, Apple suggest that you get a more recent Apple Watch.

(Also semi-serious.)

My credit union cards still have the old-style credit card number on the front (but no raised digits for the ker-chunk machine). My Chase card has the numbers in small type on the back in a non-contrasty color. It's not possible to read in non-ideal lighting conditions.

What I like about those is that you can stack more cards in the same space.

And the embossed cards tend to have their ink rub off anyway.

But I rarely take either card out of my wallet. I use Apple Pay almost everywhere.

A lot of merchants are starting to use 3D Secure now which is essentially two-factor authentication.

Starting to?

It's been pretty standard for over ten years... (I'm in the UK, I have no idea how our market compares to yours)

I said "starting" to include the US which I expect to be still far behind. I agree that in the UK it's been standard and in fact EU regulations now make this mandatory anyway.

> It's been pretty standard for over ten years.

It's unheard of in the US.

I used to live in the UK (and still visit often) but now live in the US. You'd be amazed how far behind US banking is, even compared to the UK ten years ago.

It’s common in Europe (I think it’s even mandatory now, though not necessarily for each transaction).

I'm in the US and have never heard of it.

I've seen it once or twice ever and I didn't know the password it wanted.

Depends on where you bank I suppose. Also depends on where you credit.

I can't use my bank card without mutual validation, same with my credit card. Even if you do it manually we still get a challenge-response that you use a hardware device or an app for.

Vendors get much less protection when doing a card-not-present transaction. They also usually pay higher fees. There are also cases where an additional layer of security is used, Visa Secure.

Another method would be a standardised QR code so that you can make a transaction from your app by scanning the qr code.

I don't know about other countries, but this is basically the premise of QRIS Technology [0] used in Indonesia, basically to put an end to competing QR-based payment methods.

[0]: https://www.bi.go.id/QRIS/Contents/Default.aspx

The one thing I like about the credit card system (as opposed to "app" pay system) is that the usability is so much better. You don't have to worry about your phone being smashed or running out of battery. It's also less work than a phone, all you need to do is wave your card in front of a reader. No need to get out your phone, unlock it, open the app, wave around your camera so it scans, and finally confirming the payment. Not having to install a potentially privacy invading app is also a plus.

Wouldn't work in a lot of places where there's no LTE reception, though that will probably change with things like 5G and Starlink.

I also wouldn't want my ability to pay to be tied to my phone. Not only do I want to be able to pay for things even when my phone is dead, but it just seems like it would add yet another vector of attack to steal my money.

> > Another method would be a standardised QR code so that you can make a transaction from your app by scanning the qr code.

> Wouldn't work in a lot of places where there's no LTE reception,

I happened to read about this recently (https://www.emvco.com/emv-technologies/qrcodes/), since it's going to be the base of Brazil's new instant payment system to be released later this year (PIX - https://www.bcb.gov.br/estabilidadefinanceira/forumpagamento...).

From what I understood, it does have a way to do offline transactions. There are two kinds of QR codes: one which is scanned by the app and used for both online and offline transactions, and a second kind used when offline which is presented by the app and scanned by the POS. This second QR code contains data similar to what a chip card would return to the reader during an offline transaction, so the transaction flow after that point is similar.

Hold on. PIN is not secure either. With the card reader, you can verify the PIN locally: You don't need anything but the card and a card reader. No internet, no nothing.

Since the verification can be done on the client side entirely it's subject to hacking. You can freeze the chip, slowing it down so you can actually see it run under a microscope. You can make it read-only (so the PIN miss is not recorded on the chip, and so on).

There are recorded cases where the card also held a digital wallet and students made it read only so they had an infinite wallet for small expenses ...

Most credit card fraud happens by cloning an existing card because the victim will stay unaware of the crime. If you physically steal a card it will be frozen by its owner who will also pay close attention to suspicious transactions.

Does anyone have a good detailed article on the crypto behind iCVV/dynamic CVV? This article summarizes how it works, but I haven't found a good detailed article after much googling

I found this from a public FirstData document:

"Codes written on the track with equivalent data stored on the chip to prevent fraud. All chip cards are issued with the card security code on the track data stored on the magnetic stripe and chip card security code stored on the chip. Calculated with the same DES key but with a ‘999’ service code"
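Putting the FirstData note above together with the code-type mismatch described a few comments up (the issuer must expect the CVV on a swipe and the iCVV on a chip read, and throttle guesses), here is an added example that is neither from the thread nor from FirstData: a Go implementation of the classic CVV derivation with the "999" service-code variant for the iCVV, a strict issuer check beside the lax one, and a failed-attempt lockout. The keys, PAN, expiry and service code are constructed test values, and `verifyStrict`/`verifyLax` are hypothetical names for the two issuer behaviours.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// CVK is the (CVK-A, CVK-B) pair of single-length DES keys used by the classic CVV
// algorithm. testKey is a constructed example value; real CVKs stay in the issuer HSM.
type CVK struct{ A, B []byte }
var testKey = CVK{
	A: []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF},
	B: []byte{0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10},
}
const iCVVServiceCode = "999" // chip copy: same key, service code 999 (FirstData note)
const maxFailedChecks = 3     // velocity limit that blunts guessing a 3-digit code

// computeCVV: PAN || expiry (YYMM) || service code, zero-padded to 32 hex digits;
// DES-encrypt the left half under A, XOR with the right half, DES-EDE under (A,B,A),
// then decimalise (decimal digits first, then a-f as 0-5) and keep 3 digits.
func computeCVV(k CVK, pan, expiry, serviceCode string) (string, error) {
	data := pan + expiry + serviceCode
	if len(data) > 32 {
		return "", fmt.Errorf("input too long: %d digits", len(data))
	}
	raw, err := hex.DecodeString(data + strings.Repeat("0", 32-len(data)))
	ca, errA := des.NewCipher(k.A)
	cb, errB := des.NewCipher(k.B)
	if err != nil || errA != nil || errB != nil {
		return "", fmt.Errorf("bad input or CVK: %v %v %v", err, errA, errB)
	}
	var blk [8]byte
	ca.Encrypt(blk[:], raw[:8])
	for i := range blk {
		blk[i] ^= raw[8+i]
	}
	ca.Encrypt(blk[:], blk[:]) // cipher.Block allows dst and src to overlap exactly
	cb.Decrypt(blk[:], blk[:])
	ca.Encrypt(blk[:], blk[:])
	var digits, letters strings.Builder
	for _, c := range hex.EncodeToString(blk[:]) { // lowercase 0-9a-f only
		if c <= '9' {
			digits.WriteRune(c)
		} else {
			letters.WriteByte(byte(c-'a') + '0')
		}
	}
	return (digits.String() + letters.String())[:3], nil
}

// Card is the issuer's reference record for one account, plus a failure counter.
type Card struct {
	PAN, Expiry, ServiceCode string
	failedChecks             int
}

// verifyStrict is the correct issuer check: a chip read must present the iCVV and a
// swipe the CVV for the real service code, so a chip-harvested iCVV does not validate
// a swiped clone. Wrong codes count toward the lockout that defeats guessing.
func verifyStrict(k CVK, c *Card, chipRead bool, presented string) bool {
	if c.failedChecks >= maxFailedChecks {
		return false
	}
	sc := c.ServiceCode
	if chipRead {
		sc = iCVVServiceCode
	}
	expected, err := computeCVV(k, c.PAN, c.Expiry, sc)
	if err != nil || expected != presented {
		c.failedChecks++
		return false
	}
	return true
}

// verifyLax models the issuers in the article: either code passes regardless of entry mode.
func verifyLax(k CVK, c *Card, presented string) bool {
	cvv, _ := computeCVV(k, c.PAN, c.Expiry, c.ServiceCode)
	icvv, _ := computeCVV(k, c.PAN, c.Expiry, iCVVServiceCode)
	return presented == cvv || presented == icvv
}

func main() {
	card := &Card{PAN: "4999988887777666", Expiry: "2512", ServiceCode: "201"} // constructed
	icvv, _ := computeCVV(testKey, card.PAN, card.Expiry, iCVVServiceCode)
	fmt.Println("magstripe clone presenting the chip's iCVV -> strict:",
		verifyStrict(testKey, card, false, icvv), "lax:", verifyLax(testKey, card, icvv))
}
```

The strict check is the one the article says some issuers skipped; the counter is what turns the 1-in-1000 guess into a locked card rather than a near-certain success across thousands of skimmed numbers.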

Hard to read this site when it's not responsive and the one time I want chrome to offer reader mode, it doesn't.

afrcnc 15 days ago [flagged]

Can we link to the actual research instead of this people-doxing clown's article?

Source: https://geminiadvisory.io/cybercriminals-deploy-emv-bypass-c...
